Detecting and deploying countermeasures against an autonomous browser

ABSTRACT

A computer system configured to improve security of server computers interacting with client computers, the system comprising: one or more processors executing instructions that cause the one or more processors to: select, from the plurality of detection tests, one or more first detection tests to be performed by a client computer; send, to the client computer, a first set of detection instructions that define the one or more first detection tests, and which when executed causes generating a first set of results that identifies a first set of characteristics of the client computer; receive the first set of results from the client computer; select one or more first countermeasures from a plurality of countermeasures based on the first set of characteristics identified in the first set of results; send, to the client computer, a first set of countermeasure instructions that define the one or more first countermeasures.

BENEFIT CLAIM

This application claims the benefit under 35 U.S.C. 120 as a continuation of U.S. patent application Ser. No. 15/430,224, filed on Feb. 10, 2017 (to issue as U.S. Pat. No. 10,326,790 on Jun. 18, 2019), which claims the benefit under 35 U.S.C. § 119(e) of provisional application 62/294,981, filed Feb. 12, 2016, the entire contents of which are hereby incorporated by reference for all purposes as if fully set forth herein. The applicant(s) hereby rescind any disclaimer of claim scope in the parent application(s) or the prosecution history thereof and advise the USPTO that the claims in this application may be broader than any claim in the parent application(s).

FIELD OF THE DISCLOSURE

The present disclosure generally relates to security techniques applicable to client/server computer systems, and relates more specifically to techniques for detecting whether a client computer interacting with server computers through an intermediary computer is a headless or autonomous browser (also referred to as a bot) or a browser operated by a legitimate user. SUGGESTED GROUP ART UNIT: 2447; SUGGESTED CLASSIFICATION: 709/217.

BACKGROUND

The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.

Browsers are powerful computer programs that may request and execute instructions received from a web server to generate complex user interfaces that are presented to a user through one or more devices, such as a monitor or speakers. In response to input from a user indicating that the user selected an object defined in the instructions, a browser may send a request based on the selected object to the web server. The request may be a request for data or include data to be processed by the web server. For example, a browser may present a web page from a web server that defines a form; a user may enter data into one or more fields in the form and select a submit button. In response, the browser may generate a request that includes the data entered into the one or more fields, and send the request to the web server.

Attackers may use software, often referred to as a “bot” or “headless browser”, which imitates a browser and a user by receiving instructions from a web server and autonomously generating requests based on those instructions. For example, a bot may receive a web page, gather data in one or more objects defined in the web page, and generate a request for another web page to gather additional data, as if a user using a browser was requesting a new web page. Also for example, a bot may generate and send a request with data assigned to one or more parameters that correspond to fields in a web page to simulate a user submitting data to a web server through a browser.

Attackers may use bots to commit many types of unauthorized acts, crimes or computer fraud, such as web site or content scraping, ratings manipulation, fake account creation, reserving rival goods attacks, credential stuffing attacks, password snooping, vulnerability assessments, brute force attacks, click fraud, DDoS attacks, bidding wars, and system fingerprinting attacks. As a specific example, a malicious user may cause a bot to traverse through pages of a web site and collect private or proprietary data, such as emails of all employees or prices of competitive products.

Web server administrators may wish to prevent malicious users from attacking the site, while allowing legitimate users to use the site as intended. However, determining which requests are generated by a legitimate user using a web browser and which by a malicious user using a bot may be difficult.

SUMMARY

The appended claims may serve as a summary of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1 illustrates a system for characterizing a client device, and selecting one or more countermeasures for a client device in an example embodiment.

FIG. 2 illustrates a system and timeline over which various client devices submit requests that include a challenge solution or signal to a security server computer system in an example embodiment.

FIG. 3 illustrates an example embodiment of a network topography for communicating requests and content between origin server computers and client computing devices via a security server computer and a content delivery network (CDN).

FIG. 4 illustrates a process for testing client devices and selecting countermeasures based on one or more signals in an example embodiment.

FIG. 5 is a swim lane diagram for selecting and updating security countermeasures for a client device in an example embodiment.

FIG. 6 illustrates an example computer system for serving content, tests, or countermeasures in an example embodiment.

FIG. 7 illustrates a computer system upon which an embodiment may be implemented.

While each of the drawing figures illustrates a particular embodiment for purposes of illustrating a clear example, other embodiments may omit, add to, reorder, or modify any of the elements shown in the drawing figures. For purposes of illustrating clear examples, one or more figures may be described with reference to one or more other figures, but using the particular arrangement illustrated in the one or more other figures is not required in other embodiments. Furthermore, while the instructions discussed in many example embodiments are HyperText Markup Language (“HTML”) and JavaScript instructions, in other embodiments, the instructions intercepted and generated may be any other standard or proprietary instructions configured to be executed by a client computer.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention. Words, such as “or”, may be inclusive or exclusive unless expressly stated otherwise; a “set” may comprise zero, one, or two or more elements. For example, a set of instructions may comprise one or more instructions. One or more of a first set of objects or a second set of objects may be one or more of the first set of objects or one or more of the second set of objects.

Embodiments discussed herein provide numerous benefits and improvements over the general idea of processing data from a client computer. The embodiments discussed here increase the resistance of server computers and database systems to computer attacks. For example, using the methods and system discussed herein, a server computer may detect or identify the browser, or type of browser, receiving a web page, processing the web page, and generating one or more requests based on the web page. A type of browser may include versions of a particular browser, one or more commercial browsers that are known to be legitimate, one or more browsers that are known to be legitimate bots (such as a search engine web crawler), one or more browsers that are known to be malicious bots, or any other set of browsers.

Embodiments are described herein according to the following outline:

-   1.0 General Overview
    -   1.1 Tests, Countermeasures, and Rules
    -   1.2 Tests
    -   1.3 Signals
    -   1.4 Countermeasures
    -   1.5 Rules
    -   1.6 Security Server Computer System
-   2.0 Selecting Countermeasures
    -   2.1 Weighting Test Results or Signals
-   3.0 Example System and Process for Selecting and Sending Tests and Countermeasures
    -   3.1 Transmission Handler
    -   3.2 Client Device
        -   3.2.1 Test Environment
    -   3.3 Example Process for Selecting One or More Tests or Countermeasures
        -   3.3.1 Selecting and Sending a First Set of Tests
        -   3.3.2 Receiving Signals from the First Set of Tests
        -   3.3.3 Selecting and Sending a Second Set of Tests based on the First Set of Tests
        -   3.3.4 Receiving Signals from the Second Set of Tests and Selecting a Set of Countermeasures
        -   3.3.5 Executing or Sending the Set of Countermeasures to the Client Computer
-   4.0 Configurations
    -   4.1 Passive or Reporting Mode
    -   4.2 Active Mode
    -   4.3 Real-Time Mode
    -   4.4 In-Band and Out of Band Configuration
-   5.0 Example Interactions between Client Computers and a Security Server Computer
-   6.0 Example Network Configuration
-   7.0 Example Process for Testing a Client Computer and Selecting Countermeasures
-   8.0 Example Network Configuration and Security Server Computers
-   9.0 Implementation Mechanisms—Hardware Overview
-   10.0 Other Aspects of Disclosure

1.0 General Overview

In an embodiment, a computer system configured to improve security of one or more server computers interacting with one or more client computers, the system comprising: one or more processors; a memory coupled to the one or more processors and storing a set of instructions that define a plurality of detection tests and which, when executed by the one or more processors, cause the one or more processors to: select, from the plurality of detection tests, one or more first detection tests to be performed by a client computer; send, to the client computer, a first set of detection instructions that define the one or more first detection tests, and which when executed causes generating a first set of results that identifies a first set of characteristics of the client computer; receive the first set of results from the client computer; select one or more first countermeasures from a plurality of countermeasures based on the first set of characteristics identified in the first set of results; send, to the client computer, a first set of countermeasure instructions that define the one or more first countermeasures.

In an embodiment, the first set of characteristics indicates that the client computer is executing an instance of a particular browser; the one or more first countermeasures are targeted toward the particular browser; the one or more first countermeasures are associated with the particular browser; and the one or more first countermeasures are selected based on determining that the one or more first countermeasures are associated with the particular browser.

In an embodiment, the instructions, when executed, cause the one or more processors to: select, from the plurality of detection tests, one or more second detection tests to be performed by the client computer, wherein the one or more second detection tests are different than the one or more first detection tests; send, to the client computer, a second set of detection instructions that define the one or more second detection tests, and which when executed causes generating a second set of data that identifies a second set of characteristics of the client computer; receive the second set of data from the client computer; wherein selecting the one or more first countermeasures from the plurality of countermeasures is also based on the second set of data.

In an embodiment, a particular detection test among the one or more first detection tests is associated with the one or more second detection tests; the first set of results indicates a particular result based on the particular detection test; the one or more second detection tests are selected in response to determining that the first set of results included the particular result.

In an embodiment, the first set of results indicates that the client computer is executing an instance of a particular browser that matches one or more characteristics of a first browser and a second browser; wherein the computer system further comprises instructions which when executed cause the one or more processors to: select, from the plurality of detection tests, one or more second detection tests to be performed by the client computer, wherein the one or more second detection tests are associated with the first browser and the second browser, and the one or more second detection tests are different than the one or more first detection tests; send, to the client computer, a second set of detection instructions that define the one or more second detection tests, and which when executed causes generating a second set of data that identifies a second set of characteristics of the client computer; receive, from the client computer, the second set of data that identify the second set of characteristics; determine, from the second set of characteristics, that the particular browser that is being executed by the client computer is the first browser and not the second browser; determine that the one or more first countermeasures are associated with the first browser; wherein selecting the one or more first countermeasures from the plurality of countermeasures is based on determining that the one or more first countermeasures are associated with the first browser.

A “computer” or “device” may be one or more physical computers, virtual computers, or computing devices. As an example, a computer may be one or more server computers, cloud-based computers, cloud-based cluster of computers, virtual machine instances or virtual machine computing elements such as virtual processors, storage and memory, data centers, storage devices, desktop computers, laptop computers, mobile devices, or any other special-purpose computing devices. Any reference to “a computer” herein may mean one or more computers, unless expressly stated otherwise.

1.1 Tests, Countermeasures, and Rules

Systems, methods, devices, and techniques for causing tests to be performed by, or implementing countermeasures against, client computing devices that request resources, such as web page resources, are discussed herein. The test results from a client device may characterize capabilities and characteristics of the client device. Test results may also be referred to herein as signals. Security countermeasures may be applied to code served to the client device based on analysis of the signals generated by, and returned from, the client device.

Signals may be received over multiple requests from a client device that performed the tests or generated the signals. For example, a first set or round of one or more tests may be sent to a client device. The client device may execute the one or more tests to produce a first set of one or more test results or signals. The client device may send, and a security server computer system may receive, the first set of test results or signals. The security server computer system may use those signals to select one or more additional tests to be sent to the client device. Accordingly, the client device may execute the one or more additional tests to produce a second set of one or more test results or signals. The client device may send, and a security server computer system may receive, the second set of test results or signals. The signals returned from the two rounds of testing may then be used to select one or more countermeasures to apply against the client device. Additionally, or alternatively, the signals may be analyzed alone or in aggregation with signals received from many other clients to better select and develop countermeasures that can be deployed in the future to protect the web site that served the initial resources or other web sites.

1.2 Tests

A test may comprise one or more computer or browser executable instructions. For example, a test may comprise one or more detection instructions discussed in U.S. application Ser. No. 14/859,084, filed Sep. 18, 2015, and U.S. Provisional Application 62/053,022, filed Sep. 19, 2014, each of which is hereby incorporated by reference for all purposes as if fully set forth herein. Detection instructions may also be referred to herein as test code. The detection instructions may be written in JavaScript, HTML, or one or more other standard or proprietary languages that may be executed by a browser, execution environment, or computer processor. Tests may request additional resources, such as images, style sheets, or additional tests, to collect the signals enumerated herein or one or more other signals.

1.3 Signals

A signal or test result may be one or more values that are generated in response to executing or performing a test. For example, a signal may comprise data discussed in U.S. application Ser. No. 14/859,084, filed Sep. 18, 2015, and U.S. Provisional Application 62/053,022, filed Sep. 19, 2014, each of which is hereby incorporated by reference for all purposes as if fully set forth herein. One or more signals may be sent to a security server computer system using one or more requests. The one or more requests may comprise one or more requests for additional data, such as a web page, or one or more requests that are sent asynchronously or separately from one or more requests for additional data. Signals can include one or more of the following properties of the browser: user-agent, computing endpoint identifier, network identifier, user identifier.
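As an added example (not code from this patent or from any product it describes), the following JavaScript shows what one round of test code and the signals it emits might look like. The browser environment is passed in as a plain object, so the same tests can run in Node against constructed inputs; the field names (`navigator.webdriver`, `plugins`, `languages`, `platform`, `maxTouchPoints`, `window.chrome`) mirror the browser APIs they stand in for. The two sample environments are constructed, and the consistency checks (user-agent versus platform, mobile user-agent without touch points, missing `window.chrome` under a Chrome user-agent) are heuristics chosen for the example, not signals the text enumerates; `navigator.webdriver` is the one standardized automation flag among them.

```javascript
// Coarse OS family claimed by a user-agent string (example heuristic).
function osFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return 'windows';
  if (/Android/.test(ua)) return 'android';        // before Linux: Android UAs also say "Linux"
  if (/iPhone|iPad/.test(ua)) return 'ios';        // before Mac: iOS UAs also say "Mac OS X"
  if (/Mac OS X/.test(ua)) return 'mac';
  if (/Linux/.test(ua)) return 'linux';
  return 'unknown';
}

// OS family reported by navigator.platform, in the same vocabulary.
function osFromPlatform(platform) {
  if (/^Win/.test(platform)) return 'windows';
  if (/^(iPhone|iPad)/.test(platform)) return 'ios';
  if (/^Mac/.test(platform)) return 'mac';
  if (/Linux/.test(platform)) return 'linux';      // Android devices report e.g. "Linux armv8l"
  return 'unknown';
}

// One round of detection tests. `env` stands in for the browser globals
// (navigator, window, and data the test page collected) so the same code can run
// in a browser or, as here, in Node against constructed environments.
function runDetectionTests(env, testSetId) {
  const nav = env.navigator || {};
  const ua = nav.userAgent || '';
  const uaOs = osFromUserAgent(ua);
  const platOs = osFromPlatform(nav.platform || '');
  const claimsMobile = /Mobile|Android|iPhone|iPad/.test(ua);
  const motion = env.motionSamples || [];   // device-motion readings captured while the user typed
  return {
    testSetId,
    userAgent: ua,
    claimsMobile,
    // navigator.webdriver is true in a WebDriver-controlled browser (WebDriver spec).
    webdriver: nav.webdriver === true,
    pluginCount: Array.isArray(nav.plugins) ? nav.plugins.length : 0,
    languageCount: Array.isArray(nav.languages) ? nav.languages.length : 0,
    // The OS named in the UA string disagrees with navigator.platform: a spoofed UA.
    uaPlatformMismatch: !(uaOs === platOs || (uaOs === 'android' && platOs === 'linux')),
    // UA claims a phone or tablet but the device reports no touch points.
    touchMismatch: claimsMobile && (nav.maxTouchPoints || 0) === 0,
    // window.chrome exists in ordinary desktop Chrome; treating its absence under a
    // Chrome UA as suspicious is an assumption of this example.
    missingChromeObject: /Chrome\//.test(ua) && !(env.window && env.window.chrome),
    // Motion samples recorded while input was entered (the motion test of section 2.0).
    motionSampleCount: motion.length,
    inputLength: (env.typedInput || '').length,
  };
}

// Package one round's signals for the transmission handler as a single payload.
function packageSignals(signals) {
  return JSON.stringify({ v: 1, round: signals.testSetId, signals });
}

// Constructed environments, not captures from real clients.
const DESKTOP_CHROME = {
  navigator: {
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36',
    platform: 'Win32', webdriver: false, plugins: ['PDF Viewer'],
    languages: ['en-US', 'en'], maxTouchPoints: 0,
  },
  window: { chrome: {} },
  typedInput: 'hello', motionSamples: [],
};
const SPOOFED_MOBILE_BOT = {
  navigator: {
    userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1',
    platform: 'Linux x86_64', webdriver: true, plugins: [], languages: [], maxTouchPoints: 0,
  },
  window: {},
  typedInput: 'hello', motionSamples: [],
};

console.log(packageSignals(runDetectionTests(SPOOFED_MOBILE_BOT, 'round-1')));
```

The payload from `packageSignals` is what a transmission handler would receive with the client's next request; weighting these fields against each other is a server-side step and is not part of the test code itself.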

1.4 Countermeasures

A countermeasure may comprise one or more computer or browser executable instructions. For example, a countermeasure may comprise one or more countermeasure instructions discussed in U.S. application Ser. No. 14/859,084, filed Sep. 18, 2015, and U.S. Provisional Application 62/053,022, filed Sep. 19, 2014, each of which is hereby incorporated by reference for all purposes as if fully set forth herein. Countermeasure instructions may also be referred to herein as countermeasure code. The countermeasure instructions may be written in JavaScript, HTML, or one or more other standard or proprietary languages that may be executed by a browser, execution environment, or computer processor.

A countermeasure may be another test that is more computationally expensive. For example, a countermeasure may execute a computationally expensive proof of work operation in the background while the user interacts with the content, to prevent a near instantaneous follow-up request by the client computer in case the client computer happens to be operated by a bot that has been instructed to take part in a DoS attack. A countermeasure may be a response with an HTTP error. Another countermeasure may take form input and encode or encrypt it so that it cannot be altered or intercepted. For example, the countermeasure may present a field in a form as a number of spatially overlapping fields that are offset from each other by one character, so that as the user types input, each character is received by a successive field while looking to the user like all the characters are being placed in a single long field. The countermeasure may then scramble the order of the characters before sending them back to the security intermediary (which may further process the submitted communication before passing it on to the origin server computer).

1.5 Rules

Rules, like tests or countermeasures, may be discrete or composed by a user. For example, a user or system administrator may define rules in a script or markup language. Rules may specify both how to classify requests, or client computers that send requests, as well as the action to take in response to one or more signals or properties of a client computer, software on the client computer, a request, a content server computer, or the security server computer.

1.6 Security Server Computer System

The security server computer system may comprise one or more server computers, or software that is executed on one or more server computers. The security server computer system may comprise a security intermediary that resides physically and/or logically between an origin server computer system and the Internet, or between the origin server computer system and one or more client devices. The security intermediary may generate or send the client-side tests, evaluate the signals generated from the tests, and select security countermeasures or perform additional analysis based on the signals.

The security server computer system may be provided by a security company to a separate company that provides a web site or application, via a web or content server computer system, to its customers, such as a bank, retailer, or other such company. The web or content server computer system may comprise one or more server computers. For convenience of expression the separate company may be referred to herein as the application company. The content server computers may come under attack from illegitimate parties that want to interfere with the application company through a denial of service (“DoS”) attack or other attacks. Illegitimate parties may want to obtain information from the application company or the application company's customers for nefarious purposes, such as stealing money from the separate company's electronic accounts, or the separate company's customers' electronic accounts.

In one or more of the examples discussed herein, the security server computer system may be an intermediary that intercepts communications from the origin server computer system to client devices in order to insert security countermeasures that would frustrate efforts by attackers. The security server computer system may likewise intercept communications from client devices to the origin server computer system. For example, the security server computer system may be a proxy for the origin server computer system, which may isolate the origin server computer system from attacks in one or more requests. If the requests would look unfamiliar to the origin server computer system because of changes the security server computer system may have made to code that the origin server computer system had earlier served, then the security server computer system may translate the requests so that they are usable by the origin server computer system.

In some implementations, a company that provides web services may conveniently add a layer of security in front of its server computer system (also referred to herein as origin server computer system), over the content that it delivers to requesting clients, and in front of demands imposed by those clients. Such addition may occur with no or minimal effect or reprogramming/reconfiguration of the underlying origin server computer system of the company. Also, the security may be flexible and dynamic, in that it can be targeted to the particular characteristics of a particular requesting client, and can also change as threats change, even as they change very rapidly across a large group of users. Moreover, data for identifying threats can be aggregated by a security service provider across many of its clients so that new threats can be identified more quickly and accurately, by analyzing signals submitted from a large number of different client devices that have been served content from a large number of different organizations, and dealt with before they become a real problem.

Some implementations described herein can include a computer-implemented method. The method can include receiving at a security server computer system a request for web resources from a client computer; selecting, from a plurality of available tests, one or more particular tests to be performed by the client computer on itself, wherein each of the available tests comprises a series of operations to be performed to identify characteristics of the client computer; serving, from the security server computer system to the client computer, code for performing the selected one or more particular tests and code for reporting results of performing the one or more particular tests; based on signals received from performing the one or more particular tests by the client computer, selecting from a plurality of available security countermeasures one or more particular security countermeasures; and serving the requested web resources to the client computer with the selected security countermeasures applied.

The method can also comprise analyzing the received signals from performing the one or more particular tests; and serving, from the security server computer system to the client computer, code for performing one or more follow-up tests that are selected based on the analyzing, wherein the plurality of security countermeasures is selected based on the received signals from performing the one or more particular tests and received signals from performing the one or more follow-up tests. The one or more tests may also comprise seeking user input from a user of the client computer, and the signals from performing the one or more tests comprise signals that indicate whether a human user provided input. And the signals may indicate whether the client computer was physically moved while the input was received. Moreover, the signals from performing the one or more tests can be packaged by a transmission handler that is configured to obtain signals from multiple independent tests performed on the client computer and to encode the signals to protect the signals from outside interference.

2.0 Selecting Countermeasures

A security server computer system may select one or more particular countermeasures that are targeted to characteristics of a particular client device that is requesting content. The characteristics of the particular client device may be determined from signals received from the particular client device as discussed herein.

The signals may be used to determine whether the device is operated by a human operator or by a bot. For example, a first test may seek user input on a client device; the code for executing the test may present an input field on the client device and may obtain motion data of the device when an actual human user inputs data into the input field. If the device purports to be operated by a legitimate user, but signals from the test indicate that no motion data was collected while data was entered into the input field, then the security server computer system may determine that the client device is not currently being operated by a human user, whose physical input would likely cause the device to move as characters displayed on the device are tapped. Additionally, or alternatively, in response to receiving the signal(s) from the first test indicating that the client device was not moved when data was entered into the input field, the security server computer system may send a second, follow-up test to confirm whether the device is truly a client device that is operated by a legitimate user, such as a user that uses voice commands to enter the data, or not. The second test may be different than the first test.

Signals from a series of tests on the client device may be used to select one or more countermeasures to apply to content that is requested by the client device. The state of the security server computer system or an origin server computer system may also be used to select one or more countermeasures. For example, in response to determining that the one or more signals indicate that the client device may be operated by a bot rather than a real human operator and that the origin server computer system is under an increasing load, the security computer system may select a countermeasure that slows the client device that is presumed to be an automated bot. In this example, the countermeasure may be a proof of work challenge, such as a hash generating function, served along with the requested content.

2.1 Weighting Test Results or Signals

The security server computer system may select a countermeasure based on one or more signals. One or more signals, or one or more combinations of signals, may be more conclusive in determining whether a request is from a device controlled by a legitimate human user or an automated browser or bot. The selection of a countermeasure may be based on weighting signals according to one or more rules to identify a particular countermeasure or a countermeasure category to be employed when responding to the client device.

3.0 Example System and Process for Selecting and Sending Tests andCountermeasures

FIG. 1 illustrates a system for characterizing a client device, and selecting one or more countermeasures for a client device in an example embodiment. In FIG. 1, there is shown system 100 that centers on interaction between client device 102 and security server computer 104 over one or more computer networks, such as network 199. In general, system 100 is arranged so that security server computer 104, which may be one or more server computers, sends testing code to execute on client device 102 to test, or retrieve the state of, client device 102 or one or more programs executing on client device 102, and return signals that are indicative of the context or state of client device 102. FIG. 1 illustrates a client device, client device 102, making requests for content to, or executing tests or countermeasures from, a security server computer, security server computer 104. However, in other embodiments, one or more client devices can make requests for content to, or execute tests or countermeasures from, one or more security server computers. The one or more security server computers, such as security server computer 104, may combine signals from client computers using one or more rules to select one or more security countermeasures to employ with respect to interactions with client device 102.

A content system (not shown in FIG. 1) may operate in conjunction with security server computer 104. The content system may serve one or more web pages or other resources using an origin server computer system that may be responsive to a web browser or other application executing on client device 102. Security server computer 104 may share the same hardware with such a content system or may act as a physical and logical intermediary to such a content system. For example, security server computer 104 may be located at a different site than that of the content system. Security server computer 104 may be operated by a different business entity than the content system. An organization that produces security server computer systems and software may offer their products and/or services as a proxy front-end to various different organizations that serve web content.

3.1 Transmission Handler

Transmission handler 110 may interact with client device 102. Transmission handler 110 may gather information about clients that are requesting resources or determine which tests, countermeasures, or content to send to client devices based on one or more signals that are gathered. The content may be from an underlying origin server computer system. Decisions about which tests, countermeasures, or content to send can be based on data that is independent of a particular client device, such as a current system load on an origin or security server computer system and trends in that load. Additionally, or alternatively, decisions about which tests, countermeasures, or content to send to a particular client device can be based on signals that are specific to the particular client device, such as device ID information and results of tests that are served to and performed on the particular client device and indicate whether the particular client device is being used by a human user or controlled by a bot.

Transmission handler 110 may comprise or access a library of tests orcountermeasures, such as client test database 112 and countermeasuredatabase 114. Security server computer 104 or transmission handler 110may send the tests to a client device that has requested content orother resources, such as client device 102, or an application executedon the client device, such as browser 106.

Transmission handler 110 may associate one or more tests or countermeasures with one or more categories. For example, one or more tests or countermeasures may be associated with a network configuration, device, browser, user, malware, attack, website, content, or one or more characteristics of a client computer, the network configuration of the client computer, or software running on the client computer. Transmission handler 110 may serve tests or countermeasures based on the one or more categories associated with the tests or countermeasures. For example, a set of one or more tests for determining whether a client device is a mobile device may be associated with a mobile device category, and transmission handler 110 may send one or more tests associated with the mobile device category in response to a request from a client device that purports to be a mobile device or has returned signals that indicate the client device is a mobile device.

Each category may have one or more parameters. A parameter may identify a type of the device, such as mobile, desktop, or tablet. A parameter may identify or describe a type of the content requested, such as passive, interactive with forms, or login page. A parameter may identify a security or threat level for a device or content, such as that devices with certain IP addresses are higher risk, or that content of a particular type is higher risk.

Transmission handler 110 may be programmed with various rules, and may generate additional rules based on machine learning methods that use prior applied countermeasures tested against prior client device characteristics, and map various signals to various characteristics of countermeasures. For example, one signal may indicate that a client device is not what it says it is, and that it might be a bot. Another signal may indicate that a particular origin server computer system is experiencing a precipitous increase in request volume. A rule may take each of those signals, along with one or more other signals, and output an identifier that characterizes a type of countermeasure to be deployed, such as an anti-DoS countermeasure. Various countermeasures in countermeasure database 114 may be tagged as being such sorts of countermeasures, and may also be tagged with other characteristics. Transmission handler 110 may match the output of the rule to the closest matching countermeasure or countermeasures, and may then deploy those countermeasure(s) to the requesting client along with the content the client requested. In the DoS example here, the countermeasure may be a proof of work countermeasure, and security server computer 104 may serve code to client device 102 for carrying out that countermeasure along with code from an origin server computer system with which the user will interact, where the proof of work code may execute in the background (to ensure that client device 102 does not submit another request too quickly, such as it could in less than a fraction of a second if it were operated by a bot) while the user interacts with the content.

3.2 Client Device

Client device 102, or one or more components in client device 102, may run one or more tests and generate one or more signals. For example, when client device 102 makes a request for resources, security server computer 104 may select one or more tests written in JavaScript and serve the tests to client device 102. Browser 106 on client device 102 may execute the JavaScript tests and return signals from the tests. Code, such as HTML code, from a content server may include a reference to code on security server computer 104. The security server computer system may select one or more tests or countermeasures and return the tests or countermeasures to client device 102. Browser 106 may render the HTML code and call the JavaScript tests to produce signals that client device 102 may send to security server computer 104.

3.2.1 Test Environment

The served code or test code may include code that executes the tests or defines or instantiates a managed environment that executes the tests. For example, the served code may define or instantiate test environment 108 within browser 106 or other application executing on client device 102. Test environment 108 may launch the tests, control interactions between multiple independent tests that have been provided by security server computer 104, collect one or more signals generated by execution of the tests, and send the one or more signals back to transmission handler 110 of security server computer 104. Additionally, or alternatively, each test of the one or more tests may operate as a separate process on client device 102. Test environment 108 may receive, aggregate or bundle one or more signals generated by one or more tests, encode the one or more signals to hamper or prevent tampering, and send the one or more signals to transmission handler 110 of security server computer 104.

3.3 Example Process for Selecting One or More Tests or Countermeasures

FIG. 1 also illustrates a process that the described components may employ in an example embodiment. This particular process is provided for purposes of illustration, and other processes may be employed, including processes that use some or all of the steps discussed here, and that use them in an order different than that discussed here.

3.3.1 Selecting and Sending a First Set of Tests

In Step 1, a request is sent from client device 102 to security server computer 104. The request may be made to an underlying content system, and may be intercepted by security server computer 104 acting as a proxy to the content system. Additionally, or alternatively, client device 102 may send the request in response to a reference to security server computer 104 in content received from a content server computer. The request may be in the form of a simple HTTP request that identifies resources by a URI and may or may not also include one or more parameters associated with the request. For example, parameters may encode a query directed at the resources, so that the delivered resources are responsive to the query.

In step 2, security server computer 104 fetches one or more tests from client test database 112. Such action may occur after transmission handler 110 decodes and parses the received content request if the request is a request for content. The transmission handler may also forward all or part of the content request to an origin server computer system that security server computer 104 is tasked with protecting. The origin server computer system may then return the content to security server computer 104. The obtaining of content may also occur later, such as after tests of client device 102 are completed.

Transmission handler 110 may categorize or profile client device 102, browser 106, the request, the requested content, the content server providing the content, or one or more related countermeasures in order to identify tests that may be appropriate to serve to the client device. For purposes of illustrating a clear example, assume that a request for content is received from client device 102, the content is private, and client device 102 purports to be a mobile device. In response, transmission handler 110 may apply weights, a formula, or a lookup table to retrieve one or more tests that are associated with one or more categories that target a mobile device or private content. Also for purposes of illustrating a clear example, assume that a request is for content from a content server that is small, public, and non-interactive. In response, transmission handler 110 may determine that testing and countermeasures are not required, and security server computer 104 may request the content from the content server computer, receive the content from the content server computer, and forward the content to client device 102 unchanged—without any tests or countermeasures. Accordingly, in this example, the content sent to client device 102 may be in the same form as transmission handler 110 received the content from the content server computer.

In step 3, security server computer 104 serves the tests to client device 102. For example, transmission handler 110 sends the one or more selected tests to browser 106 on client device 102.

3.3.2 Receiving Signals from the First Set of Tests

In step 4, client device 102 executes the tests. For example, test environment 108 or browser 106 may execute the JavaScript that defines the tests. The tests performed may interact with one or more subsystems or one or more processes executing on client device 102. The tests may attempt to interact with a user of the device. The tests may receive readings from one or more sensors on the device. The readings may include information about spatial acceleration or other motion of the device coordinated with the time at which characters are entered into the device.

In step 5, client device 102 sends the signals back to security server computer 104. For example, test environment 108 may send the signals generated in step 4 to transmission handler 110. Such transmission may be cloaked so that it looks from the outside like an ordinary transmission, so that malicious code cannot readily identify that such a report is being provided. For example, test environment 108 may encode or encrypt the signals generated in step 4 and send, to transmission handler 110, the encoded or encrypted signals with another request from client device 102 for additional content.

3.3.3 Selecting and Sending a Second Set of Tests Based on the First Set of Tests

In step 6, security server computer 104 fetches additional tests. Again, such action may take place by applying rules to features of the content, client device 102, or both—and additionally in this cycle, by applying rules to the signals received from the first round of testing. For example, one or more signals may indicate a lack of motion when data was entered, which may indicate that the data entry was by a bot or not on a mobile device; however, a lack of motion may indicate that the user employed a wireless keyboard to enter the data. Thus, the second round may select one or more different, more robust, or more intrusive tests that are determined to be complementary to the result of the first round of testing and further attempt to identify whether client device 102 is a mobile device.

In different implementations and situations, a different number of rounds of serving testing code may be performed. For example, a system may also send only one round of testing code, or zero rounds if the content profile and/or device profile indicates that testing is not needed, such as when both indicate a low-risk environment. A system may perform multiple rounds, and each round may always be directed to a particular class of goals. For example, tests in a first round may be directed to determining whether a device is what it says it is (through the header or other information). Tests in another round may be directed to determining whether foreign code is running on the device, and characterizing the foreign code. In yet other implementations, the values of signals received back from a first round of testing may affect whether a second round is performed. For example, if the first signal(s) indicate that the device is low-risk, then a second round may be avoided, but if they indicate that the device is high-risk, then a second round may be performed.

In step 7, security server computer 104 again serves test code to client device 102 as discussed in step 3. In step 8, client device 102 performs tests in the second round of testing as discussed above in step 4. In step 9, client device 102 sends the signals to security server computer 104 as discussed above for the first round of results or signals in step 5.

3.3.4 Receiving Signals from the Second Set of Tests and Selecting a Set of Countermeasures

In step 10, security server computer 104 or transmission handler 110 fetches one or more countermeasures from countermeasure database 114. Such fetching may come as a result of the transmission handler or related structure evaluating the signals received from the second round of testing and optionally the signals received from the first round of testing. Transmission handler 110 may select one or more countermeasures based on rules applied to one or more signals. For example, if one or more signals are associated with one or more categories, then transmission handler 110 may select one or more countermeasures associated with those categories. The one or more signals may be received or derived from one or more previous rounds of testing, features of a request, features of requested content, features of a content server computer, features of a client computer, or other features as discussed herein. For example, a rule may select a DoS-avoiding countermeasure when the signals indicate that client device 102 might be under the operation of a bot, and other signals indicate that a DoS attack may be beginning for the content server computer that is served by security server computer 104. Certain countermeasures may be served regardless of the received signals, such as countermeasures that transcode content from the origin server computer system in polymorphic manners to stymie attempts by malicious code to interact with or analyze the content from the origin server computer system.

3.3.5 Executing or Sending the Set of Countermeasures to the Client Computer

In step 11, security server computer 104 serves code to client device 102. The served code in this instance may include the code that was requested from the origin server computer system in the content request of step 1, whether in its original form or in a transformed form. The served code may include code for implementing the selected countermeasures, such as proof of work code, code to monitor the execution of the origin server computer system code to ensure it is not being interfered with by malicious code, or other countermeasures. In the current example, countermeasures are sent to the client computer after sending two sets of one or more tests and receiving two sets of one or more signals. However, security server computer 104 may stop sending tests or send one or more countermeasures after security server computer 104 has enough signals to pick one or more countermeasures.

In step 12, client device 102 executes the code. For example, browser 106 may execute the countermeasures sent in step 11. Such execution may involve parsing or executing code and fetching and executing JavaScript or other code referenced in the markup code. Such action may result in additional signals being sent back to security server computer 104, such as to be used in subsequent servings of code to client device 102 or to other devices. The process shown in FIG. 1 can be repeated each time client device 102 makes a request, such as each time a user of the device navigates to a different web page of a web site.

In one or more examples herein, the requested content is sent to the requesting client computer with one or more countermeasures after data from one or more tests has been received. Additionally or alternatively, the requested content can be sent with one or more of the tests. One or more additional tests or one or more countermeasures can be sent with subsequently requested content, such as another web page. Additionally or alternatively, one or more tests or countermeasures can be sent asynchronously from the requested content.
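The category-driven selection of tests and countermeasures performed by transmission handler 110 in sections 3.1 through 3.3, including the zero-round, one-round and two-round cases and the anti-DoS rule, as an added example in Python that is not code from the patent; the test and countermeasure libraries, signal names, category tags and the risk lookup are assumptions made for illustration.

```python
"""Rule-driven selection of client tests and countermeasures across test rounds.

Added example modelled on transmission handler 110 of FIG. 1; it is not code
from the patent. The test names, signal names, category tags, thresholds and
the two small libraries below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed stand-in for client test database 112. Each test carries the
# categories it targets, the round it may be served in, and how intrusive it is.
CLIENT_TESTS = {
    "ua_consistency":    {"categories": {"any"},     "round": 1, "intrusive": 0},
    "touch_events":      {"categories": {"mobile"},  "round": 1, "intrusive": 1},
    "motion_sensor":     {"categories": {"mobile"},  "round": 2, "intrusive": 2},
    "foreign_code_scan": {"categories": {"private"}, "round": 2, "intrusive": 2},
}

# Constructed stand-in for countermeasure database 114, tagged by the
# characteristic a rule may ask for.
COUNTERMEASURES = {
    "polymorphic_recode": {"tags": {"always"}},    # served regardless of signals
    "proof_of_work":      {"tags": {"anti-dos"}},
    "behavior_monitor":   {"tags": {"bot"}},
    "field_monitor":      {"tags": {"malware"}},
}


@dataclass
class RequestProfile:
    claimed_device: str          # "mobile", "desktop" or "tablet" (from headers)
    content_type: str            # "passive", "interactive" or "login"
    content_private: bool
    origin_request_surge: bool   # client-independent signal: request volume spike
    signals: dict = field(default_factory=dict)  # results returned by earlier rounds


def categories_for(profile):
    """Category parameters derived from the device claim and the requested content."""
    cats = {"any"}
    if profile.claimed_device == "mobile":
        cats.add("mobile")
    if profile.content_private or profile.content_type == "login":
        cats.add("private")
    return cats


def risk_level(profile):
    """Lookup-table style profile: public, passive content with no surge is low risk."""
    if (not profile.content_private and profile.content_type == "passive"
            and not profile.origin_request_surge):
        return "low"
    return "elevated"


def select_tests(profile, round_no):
    """Tests to serve in a round: none for low-risk requests (zero rounds), and no
    second round once the first round has confirmed the device is what it claims."""
    if risk_level(profile) == "low":
        return []
    if round_no == 2 and profile.signals.get("device_claim_consistent") is True:
        return []
    cats = categories_for(profile)
    chosen = [name for name, t in CLIENT_TESTS.items()
              if t["round"] == round_no and t["categories"] & cats]
    # Least intrusive first, so a round escalates only as far as it must.
    return sorted(chosen, key=lambda n: CLIENT_TESTS[n]["intrusive"])


def select_countermeasures(profile):
    """Rules map signals to countermeasure tags; the tagged entries are deployed."""
    wanted = {"always"}
    s = profile.signals
    # A device that is not what it says it is, or typing with no motion on a
    # claimed mobile device, may be a bot (a wireless keyboard is the benign case).
    bot_suspected = (s.get("device_claim_consistent") is False
                     or s.get("motion_during_typing") is False)
    if bot_suspected:
        wanted.add("bot")
    if bot_suspected and profile.origin_request_surge:
        wanted.add("anti-dos")     # bot plus a request surge: anti-DoS proof of work
    if s.get("foreign_code_detected"):
        wanted.add("malware")
    return sorted(name for name, c in COUNTERMEASURES.items() if c["tags"] & wanted)


def run_session(profile, run_tests):
    """Drive the rounds of FIG. 1: serve tests, merge the returned signals, and
    stop testing as soon as a round is empty. run_tests stands in for the client."""
    for round_no in (1, 2):
        tests = select_tests(profile, round_no)
        if not tests:
            break
        profile.signals.update(run_tests(tests))
    return select_countermeasures(profile)
```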

4.0 Configurations

A security server computer may be deployed in various configurations or modes. A security server computer may be deployed in, or use, multiple modes or configurations concurrently.

4.1 Passive or Reporting Mode

Taking an action against the web request is not necessary: the security server computer system could operate in a passive or reporting mode. This passive mode may report (for example, back to a central analysis system that aggregates data across many clients and servings) what the system would have done with the traffic had the system been in a blocking or other mode, or may simply report features of the traffic.

4.2 Active Mode

In active mode, the security server computer may take actions that include but are not limited to blocking, passing, logging, applying a content-based countermeasure in the response to the request, throttling, or various combinations of these actions or other actions.

4.3 Real-Time Mode

The security server computer system can operate in (a) real-time mode or (b) not real-time. In real-time mode, the security server computer system may select one or more countermeasures, or make one or more security decisions, based on the data or signals collected and a configurable rule set.

In not real-time operation, the security server computer system receives the signals but not the web requests for content. On the basis of the signals received and configurable rules, the decision engine analyzes the request and reports a security or other decision.

4.4 In-Band and Out-Of-Band Configuration

The secure delivery of signal data discussed herein can be accomplished in-band or out-of-band. In an in-band configuration, the security computer system may be a proxy or intermediary computer that is physically or logically between a client computer and a content server computer. The security server computer can act as a gatekeeper, and block requests from being sent from the client computer to the content server computer. A client computer may send signals within one or more requests for content. The payload in a response to a request in an in-band solution may include the content that was requested and one or more tests or countermeasures included or incorporated into the content.

In an out-of-band configuration, the security server computer system is not placed between a client device and an origin server computer, and thus need not intercept communications between a client computer and an origin server computer. In an out-of-band configuration, a request received by security server computer 104 need not be a request for content to a content server computer that security server computer 104 is protecting. The payload in a response to an out-of-band request may be delivered asynchronously and without content from a content server computer.

5.0 Example Interactions Between Client Computers and a Security Server Computer

FIG. 2 illustrates a system and timeline over which various client devices submit requests that include a challenge solution or signal to a security server computer system in an example embodiment. A challenge may be a test or countermeasure. A challenge solution may be a signal or response to a countermeasure that can be used to allow or reject requests from a client computer. Such challenge solutions may be used as part of testing like that described above to characterize aspects of the client device and obtain signals from such characterization. The challenge solutions may also be used after the testing, such as where the testing indicates that the client device may be a bot, and the serving of the challenge solution is aimed at slowing the bot down.

In FIG. 2, timeline 201 conceptually depicts that particular requests may be accepted and others denied. For example, at time T1, in timeline 201, security server computers 204 provide content to client computer 202 a. In response, client computer 202 a solves a first challenge included in the content, and submits a request to initiate a web transaction (for example, to add items to an electronic shopping cart). The solution is accurate, and other aspects or signals of the request may be verified. Security server computers 204 may thus accept the first request from first client computer 202 a so that the requested transaction can be performed. Security server computers 204 may store data in an anti-replay log indicating that solution 1 was received from a client computer or that a correct solution was received from the client computer.

Later, at time T2, in timeline 201, client computer 202 a re-submits a request that includes the same solution to the first challenge. Security server computers 204 may check the anti-replay log and find that the solution to the first challenge has already been submitted at an earlier time, and for that reason the request may be deemed invalid. Security server computers 204 may terminate the request at time T2.

At time T3, in timeline 201, security server computers 204 send a new, second challenge to client computer 202 b. Rather than solving the second challenge that client computer 202 b was provided, client computer 202 b submits a counterfeit solution, such as no solution or a solution to a challenge that was illegitimately generated by attackers in advance of the second challenge being served. Security server computers 204 may detect that the counterfeit solution is invalid, indicating that the solution or challenge may have been manipulated. Accordingly, security server computers 204 reject, terminate or do not accept the request at time T3 from client computer 202 b.

At time T4, in timeline 201, security server computers 204 serve, to client computer 202 c, a third challenge with parameters that are different from either of challenges 1 or 2. Client computer 202 c may be infected with malware and under the control of a botnet. In another attempt to subvert the challenge, client computer 202 c does not wait to determine a solution to the third challenge, but instead submits a solution to the first challenge that was provided by client computer 202 a at time T1. However, because solutions to the first challenge have already been included in requests to security server computers 204 as indicated by the anti-replay log, the request made by client computer 202 c at time T4 is denied. Accordingly, FIG. 2 generally illustrates how various safeguards may be implemented to ensure the integrity of challenges. Security server computers 204 can validate requests by not only checking whether a solution proffered in a request is accurate, but also by checking that a challenge and solution are not being replayed, and by checking that the challenge has not been manipulated.
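The three validation checks of FIG. 2 (an accurate solution, no replay, and an unmanipulated challenge), walked through the T1 to T4 outcomes above, as an added example in Python that is not code from the patent; the challenge format (an HMAC-tagged nonce bound to a client identifier and an issue time, solved by a hash-prefix proof of work), the key, the difficulty and the client identifiers are assumptions made for illustration.

```python
"""Challenge issue, solve and validate with an anti-replay log.

Added example that walks through the T1..T4 outcomes of FIG. 2; it is not
code from the patent. The challenge format (an HMAC-tagged nonce bound to a
client and an issue time, solved by a hash-prefix proof of work), the key,
the difficulty and the client identifiers are constructed for illustration.
"""
import hashlib
import hmac
import os

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
DIFFICULTY_BITS = 12        # leading zero bits the proof must reach (cheap, for a demo)
MAX_AGE_SECONDS = 300


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(client_id, now):
    """Server side: fresh nonce, bound to the client and issue time by an HMAC tag,
    so a challenge cannot be generated in advance by anyone without the key."""
    nonce = os.urandom(8).hex()
    body = f"{client_id}:{now}:{nonce}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def solve_challenge(challenge):
    """Client side: search for a counter whose hash meets the difficulty. The work is
    what keeps an automated client from submitting again a fraction of a second later."""
    counter = 0
    while True:
        candidate = f"{challenge}:{counter}"
        if _leading_zero_bits(hashlib.sha256(candidate.encode()).digest()) >= DIFFICULTY_BITS:
            return candidate
        counter += 1


class ChallengeValidator:
    """Server side: integrity, freshness, accuracy and replay checks, with an
    anti-replay log of challenges whose solutions have already been accepted."""

    def __init__(self):
        self.anti_replay_log = set()

    def validate(self, client_id, solution, now):
        try:
            challenge, _counter = solution.rsplit(":", 1)
            c_id, issued, nonce, tag = challenge.split(":")
            issued = int(issued)
        except ValueError:
            return "reject: malformed"                 # e.g. no solution at all
        body = f"{c_id}:{issued}:{nonce}"
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return "reject: challenge manipulated"     # T3: counterfeit challenge
        if now - issued > MAX_AGE_SECONDS:
            return "reject: challenge expired"
        if _leading_zero_bits(hashlib.sha256(solution.encode()).digest()) < DIFFICULTY_BITS:
            return "reject: wrong solution"
        if challenge in self.anti_replay_log:
            return "reject: replayed solution"         # T2 and T4: already redeemed
        if c_id != client_id:
            return "reject: issued to another client"  # taken from another client, unredeemed
        self.anti_replay_log.add(challenge)
        return "accept"                                # T1
```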

6.0 Example Network Configuration

FIG. 3 illustrates an example network topography for communicating requests and content between origin server computers and client computing devices via a security server computer and a content delivery network (CDN). Generally, the diagram in FIG. 3 is provided as a framework to describe various manners in which the methods, systems, devices, and other techniques described herein may be arranged to implement user-agent (client) challenges for the improvement of web security, including as part of a process of gathering signals to use in the selection of countermeasures to be deployed with the serving of requested code.

FIG. 3 shows, by way of example, how various stages of processing for these techniques may be carried out by particular components of network 300, such as by origin server computers 302, security intermediary computer 304, CDN server computers 308, or client devices 310. However, the particular configurations described in these drawings are provided as examples only. In some implementations, certain of the processing stages may occur at other ones of the network components than the components that are explicitly provided in the figures, or may be distributed among multiple components.

In FIG. 3, electronic content, such as electronic resources or web pages, may be transmitted to client devices using CDN 306. CDN 306, along with origin server computers 302 and security intermediary computer 304, can be geographically separated and physically distinct from client devices 310 that form endpoints of network 300. Accordingly, origin server computers 302, security intermediary computer 304, and CDN 306 are all shown as being located at least partially within the cloud 312. Thus, from the perspective of one of client devices 310, requests and responses may appear to be sent and received generally to and from a network in the cloud 312, although distinct components within the network may handle different aspects of processing communications with a client device among client devices 310. Client devices 310 may be any of various types of computing devices that may communicate over a network, such as mobile devices (for example, smartphones, tablet computers, wearable computers), notebook computers, or desktop computers. Client devices 310 may, for example, use web browsing applications to access and to execute web pages or other content over the internet or other network. The web browsing applications may have a JavaScript engine, for example, that can run challenges written in JavaScript or other suitable languages.

CDN 306 can include CDN server computers 308 in distributed data centers across a plurality of geographically dispersed locations. Different individual server computers in CDN server computers 308 or groups of CDN server computers 308 may each represent a node in CDN 306 at an edge of network 300. The nodes may be located at the edges of network 300 because they are proximate to the client devices 310, and are thus closer in network 300 to client devices 310 than are other components such as origin server computers 302. CDN 306 may be configured to deliver content hosted by origin server computers 302 to client devices 310 with high availability and performance. CDN server computers 308 in CDN 306 can act as intelligent intermediaries between origin server computers 302 and client devices 310. For example, when a client device among client devices 310 submits a request for content on a domain hosted by origin server computers 302, CDN 306 can intelligently direct the request to CDN server computers 308 at a particular node of CDN 306 that is determined to be best situated to handle the request. An optimal node of CDN 306 to handle the request may be selected based on factors such as the distance between the node and the requesting client device among client devices 310, the present availability of the node, and the nature of the particular content being requested. For example, the optimal node may be the node that is located closest to a particular client device of client devices 310 that submitted a request. The distance or closeness between a node and a client device may be measured by the expected time for communications to be transmitted between the node and the client, or as measured by the node that is the fewest number of network hops away from the client. The optimal node of CDN 306 can process the request and determine how to handle it in an efficient manner. In some implementations, each of the nodes or computers in CDN 306 may cache content from origin server computers 302, so that the nodes may respond to requests from client devices 310 with cached content, when the requested content has been cached, rather than pinging origin server computers 302 to obtain the content for each request. In this way, CDN 306 can significantly reduce the load on origin server computers 302 due to the distributed network of CDN server computers 308 handling requests for popular, cached content. CDN 306 can also help to improve the response times for handling requests due to the additional computing capacity provided by CDN server computers 308, and the distribution of requests to optimally selected nodes that may be located closest to the respective client devices 310 that have made requests over network 300.

Client devices 310 may request web content from origin server computers 302, which may include a system of one or more computers. Origin server computers 302 may serve various types of content, such as web code (for example, HTML, JavaScript, Cascading Style Sheets) for web pages, media files, applications, and more. Origin server computers 302 may also execute server-side applications that power services delivered to client devices 310. For example, origin server computers 302 may host an e-commerce website. Origin server computers 302 may host text, web code, images, and other media files that are part of the website, and may run various server-side applications to dynamically generate content specific to particular requests.

In some implementations, network 300 may include security intermediary computer 304. Security intermediary computer 304 may include one or more computers that are located in network 300 between and distinct from origin server computers 302 and client devices 310. In some implementations, security intermediary computer 304 may be proximate to origin server computers 302, and may be located between CDN server computers 308 of CDN 306 and origin server computers 302. For example, security intermediary computer 304 may be arranged as a reverse proxy or a full proxy in front of origin server computers 302. When arranged as a reverse proxy, security intermediary computer 304 may intercept all or a portion of incoming communications for origin server computers 302, such as communications forwarded from CDN 306, but not client requests that have been blocked by CDN 306, and may process all or a portion of outbound communications from origin server computers 302. In some implementations, security intermediary computer 304 may operate in coordination with various sites at multiple domains, which sites may be hosted on a common set of origin server computers 302, or on respective sets of origin server computers for each of the domains/sites. Security intermediary computer 304 may be implemented on dedicated computers that are physically distinct from the computers for origin server computers 302. In some implementations, security intermediary computer 304 may be implemented, not on physically separate hardware, but as one or more modules on origin server computers 302. In some implementations, one or more security intermediary computers may be provided at all or particular ones of the nodes in CDN 306, and may be implemented as software modules within CDN server computers 308 of CDN 306 or as dedicated hardware co-located with CDN server computers 308 of CDN 306.

Generally, security intermediary computer 304 may be programmed to perform one or more types of transformation on electronic content that is to be served to client devices 310, in addition to other operations such as the serving of code to perform tests of requesting clients. For example, security intermediary computer 304 may re-code content that is outputted from origin server computers 302, and may apply reverse transformations to requests made from a re-coded web page on a client device among client devices 310 so that the request is recognizable by origin server computers 302. Similarly, for security intermediary computer 304 distributed in CDN 306, security intermediary computer 304 may re-code content to be served to client devices 310 from CDN server computers 308, and may apply reverse transformations to requests from client devices 310 from a re-coded web page so that the request may be recognized by CDN server computers 308. In some implementations, security intermediary computer 304 may be configured to perform operations like those carried out by security server computer 104 in system 100 (FIG. 1), security server computers 204 in system 200 (FIG. 2), or security server computers 602 a-602 n of system 600 (FIG. 6). For example, security intermediary computer 304 may re-code portions of the web code for a web page that is to be served to a client device of client devices 310. The re-coding can involve applying random transformations to select portions of the original code, to obscure an operational design of origin server computers 302 and/or CDN server computers 308. In some implementations, security intermediary computer 304 may randomize elements of a web page's implicit API, such as form names, attribute values, and hyperlink addresses, to interfere with the ability of malware at client devices 310 to exploit the implicit API to perform fraudulent transactions or other malicious actions. Security intermediary computer 304 may re-code content differently each time it is served, for example, to create a moving target that may prevent bots from predicting how a page will be re-coded in any particular instance. In some implementations, security intermediary computer 304 may re-code content in other manners as well, such as inserting decoy code, randomizing HTML tag names, and splitting form fields into multiple fields that each accept a portion of content typed by a user.

In some implementations, security intermediary computer 304 may instrument electronic content that is to be served to a client device of client devices 310 with code (for example, JavaScript) programmed to collect information about client devices 310 that execute the content, and about interactions with the content at client devices 310—and that returns signals to the security intermediary that characterize such testing. The instrumented code may then report the collected information over a network to security intermediary computer 304 or to another portion of a computing system for analysis.

Such a challenge may be generated at a set of origin server computers. For example, a web page, shopping.html, can be supplemented with the challenge code at the origin server computers as well, and the supplemented code can then be served to the client computer through a node in a content delivery network. When the client computer thereafter solves the challenge test and submits a request, the node in the content delivery network can validate the solution, and can take action to either allow or deny the request based on the determined validity of the solution.

Various stages in the process may take place at different ones of the components depicted in network 300 of FIG. 3. For example, the challenge may be generated and inserted into electronic content being served at any one of origin server computers 302, security intermediary computer 304, and one or more nodes of the CDN 306. Similarly, any one or more of these components may be configured to validate a solution provided by a client device among client devices 310. In some implementations, security intermediary computer 304 proximate to the origin server computers 302, or proximate to the nodes in CDN 306, may both generate and insert the challenge, and may also validate solutions to the challenge from client devices 310. In some implementations, origin server computers 302 or CDN server computers 308 may generate and insert the challenge, and validate solutions, or otherwise evaluate signals from this and other testing performed on the devices.

In some implementations, in the absence of a CDN 306, security intermediary computer 304 acting as a proxy to origin server computers 302 may implement challenges and validate their solutions. For example, security intermediary computer 304 may intercept an outbound web page from origin server computers 302, may generate and insert a challenge into the web page, and may then transmit the re-coded web page that includes code for the challenge to one of client devices 310. When a client device among client devices 310 submits a solution to the challenge, the security intermediary can again intercept the communication before it reaches the origin server computers 302, and can determine whether the solution is valid. If the solution is determined to be valid, the communication can be provided to the origin server computers 302. If not, the communication may be blocked.

In some implementations, client devices 310 can communicate with origin server computers 302 directly, without either security intermediary computer 304 or CDN 306. In these implementations, origin server computers 302 may generate the challenge, supplement the content to be served with the challenge, and also determine whether solutions from client devices 310 are valid. If a solution is determined to be valid, the origin server computers 302 may act on the request (for example, may initiate a web transaction specified in the request). If a solution is not determined to be valid, the origin server computers 302 may not respond as requested. For example, the origin server computers 302 may return an error page to the client device among client devices 310 indicating that the requested transaction could not be performed.

7.0 Example Process for Testing a Client Computer and Selecting Countermeasures

FIG. 4 illustrates a process for testing client devices and selecting countermeasures based on one or more signals in an example embodiment. The process involves transmitting code to a client computer after the client computer requests content, receiving signals from the client computer after the client computer has executed the tests, and sending one or more countermeasures to the client computer based on the signals that were received. FIG. 5 is a swim lane diagram for selecting and updating security countermeasures for a client device in an example embodiment. The process in FIG. 5 comprises the steps in process 400 with additional detail for the example process.

In step 402, a security server computer receives a request for web content from a client computer. Such a request may take the form of an HTTP or similar request from a web browser of a client device, and may be intercepted by a security intermediary that is acting as a proxy or reverse proxy for one or more origin server computers. For purposes of illustrating a clear example, assume that the web content that was requested is hosted on a single origin server computer.

In step 404, the security intermediary identifies characteristics of the client computer and selects one or more tests. For example, information that is part of the request may partially characterize the client by identifying the device type of the client computer or an IP address purporting to identify a location of the client computer (or a proxy through which the client computer is communicating). As discussed above, the security intermediary computer may select one or more tests based on characteristics about the client computer or characteristics of the requested content, which may have been retrieved and analyzed to identify such content characteristics, along with one or more signals.

In step 406, the security intermediary computer may parse the request and obtain the requested content from the origin server. In addition to the test selected in step 404, or in alternative to selecting tests in step 404, the security intermediary computer may select one or more tests using rules based on information received from the client, information about the requested content, information about a current security status of the security intermediary and origin server computers, or any other data discussed herein.

In step 408, the security intermediary server computer serves the selected tests and the requested content to the requesting client computer. Serving the selected tests may involve packaging the tests with an executing environment in which the tests can execute, and including mechanisms for gathering and encoding signals generated from the tests.

In step 410, the client computer performs the served tests and generates results from such performance. The results may then be packaged with each other as signals that indicate characteristics of the device and of processes executing on the device that may be relevant to selecting additional follow-up tests and/or to select security countermeasures that are especially tailored to work with respect to the client computer and its characteristics.

In step 412, through a test environment created by code served from the security intermediary in step 408, the client computer aggregates and packages the test result signals in a communication that is protected from snooping or alteration, and returns the signals in the package to the security intermediary computer.

In step 414, the intermediary computer receives and evaluates those signals and optionally selects one or more tests based on those signals. Such tests may be selected to obtain clarification of problems that may have been identified by a previous round of tests, such as by having the follow-up tests address the same characteristic of the client computer, but doing so in a different manner or using a different method to more accurately determine one or more characteristics of the client computer, browser on the client computer, or other application running on the client computer.

In step 416, the intermediary computer serves the one or more additional tests selected in step 414. The intermediary computer may serve the one or more additional tests to the client computer as discussed herein, including step 408.

In step 418, the client computer receives the one or more additional tests selected in step 416. The client computer also performs the one or more additional tests to produce one or more additional signals.

In step 420, the client computer sends the signals generated from the follow-up tests to the intermediary computer using one or more of the methods discussed herein.

In step 422, the intermediary server computer may select one or more countermeasures based on the signals from the first round of tests, signals from the second round of tests, rules, additional signals from one or more additional rounds, or one or more other features discussed herein. Such signals from the two different rounds may be related to separate aspects of the client device, such as an initial round directed to determining whether the device has the characteristics that it advertises, and a second round determining what sort of processes are executing on the device to determine whether any of them is malicious.

In step 424, the intermediary computer packages the content requested in step 402 with the one or more countermeasures selected in step 422. For example, the intermediary computer may append countermeasures to the content requested in step 402. For purposes of illustrating another clear example, assume that the intermediary computer determined that the client computer was executing a particular browser based on the signals that were received from the client computer. The intermediary computer may select a countermeasure that encodes data into a format that the particular browser is known to support, based on a rule associated with the particular browser. Accordingly, the intermediary computer may encode the content requested in step 402 into the particular format and include code that causes the particular browser to correctly decode the content.

In step 426, the intermediary computer serves the content and one or more countermeasures to the client computer, and logs the results or signals of the observations of the client computer. In particular, various signals or characterizations of the client computer may be saved into a database that comprises signals and characteristic data from one or more other client computers that have requested content or performed tests or countermeasures. Such gathering of data across a large number of client computers may then be used in an aggregated manner to perform analysis to quickly identify and characterize emerging security threats, and to develop new and improved countermeasures to be served in the future against various threats.

In step 428, the client computer interacts with the served content. For example, a human user may fill in fields in a form generated by the content, and may submit such information. The process shown here may be repeated for the client computer, for each follow-up content request made by the client computer or each time a user of the client computer navigates to a new web page.
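The following is an added worked example of the server side of process 400 (steps 404, 408, 414 and 422), written for this page and not taken from the patent or from any product. It is a toy rule engine: the request headers yield the advertised characteristics, rules choose a first round of tests, the round is bound to the session with an HMAC token so that a returned signal package can be checked for integrity, freshness and completeness, and further rules pick follow-up tests (re-testing the same characteristic by a different mechanism, as step 414 describes) and countermeasures. The key, the test catalogue, the signal field names and the countermeasure names are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for this example; a real intermediary would hold a managed, rotated key.
SERVER_KEY = b"example-intermediary-key-do-not-reuse"

# Constructed test catalogue: each test probes one client characteristic.
TEST_CATALOGUE = {
    "ua_consistency": "compare the advertised User-Agent with JavaScript engine features",
    "timing_profile": "time a fixed script workload",
    "plugin_enum": "enumerate installed plug-ins",
    "render_probe": "render a small canvas and report its dimensions",
}


def characteristics_from_request(headers):
    """Step 404: what the request itself claims about the client (constructed heuristics)."""
    ua = headers.get("User-Agent", "")
    return {
        "device_type": "mobile" if "Mobile" in ua else "desktop",
        "advertised_browser": "chrome" if "Chrome/" in ua else "other",
        "client_ip": headers.get("X-Forwarded-For", headers.get("Remote-Addr", "")),
    }


def select_initial_tests(chars):
    """First-round rule: verify what the client advertises; desktops also get plug-in enumeration."""
    tests = ["ua_consistency", "timing_profile"]
    if chars["device_type"] == "desktop":
        tests.append("plugin_enum")
    return tests


def _token(session_id, nonce, tests, issued):
    msg = json.dumps([session_id, nonce, sorted(tests), issued]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_test_round(session_id, tests, now=None):
    """Step 408: package the tests with a nonce and a token binding them to this session."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return {"session": session_id, "nonce": nonce, "issued": issued,
            "tests": tests, "token": _token(session_id, nonce, tests, issued)}


def accept_signal_package(package, now=None, max_age=120):
    """Step 414, server side: accept returned signals only if the token matches the session
    and test list we issued, the package is fresh, and it reports exactly the served tests."""
    expected = _token(package["session"], package["nonce"], package["tests"], package["issued"])
    if not hmac.compare_digest(expected, package.get("token", "")):
        return None, "token mismatch"
    age = (now if now is not None else time.time()) - package["issued"]
    if age < 0 or age > max_age:
        return None, "stale or future-dated package"
    if set(package["signals"]) != set(package["tests"]):
        return None, "signals do not match served tests"
    return package["signals"], "ok"


def select_followup_tests(chars, signals):
    """Step 414: when a result is doubtful, re-test the same characteristic another way."""
    followups = []
    if signals["ua_consistency"]["engine_matches_ua"] is False:
        followups.append("render_probe")    # same question (is the browser what it claims?), different mechanism
    if signals["timing_profile"]["ms"] < 1:
        followups.append("timing_profile")  # implausibly fast: measure again
    return followups


def select_countermeasures(chars, signals, followup_signals):
    """Step 422: countermeasures chosen from rules over both rounds of signals."""
    cms = []
    mismatch = signals["ua_consistency"]["engine_matches_ua"] is False
    if mismatch and followup_signals.get("render_probe", {}).get("matches_ua") is False:
        cms.append("serve_challenge")        # advertised identity contradicted by two methods
    if chars["advertised_browser"] == "chrome" and not mismatch:
        cms.append("encode_content_chrome")  # a format the identified browser is known to support
    if not cms:
        cms.append("instrument_only")
    return cms
```

The token covers the sorted test list, so a package that drops or adds a test fails the integrity check before any rule runs; the age check stops a captured package from being replayed later in the session window.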

8.0 Example Network Configuration and Security Server Computers

FIG. 6 illustrates an example computer system for serving content, tests, or countermeasures in an example embodiment. In FIG. 6, the system 600 may be adapted to perform deflection and detection of malicious activity with respect to an origin server computer system. The system 600 in this example is a system that is operated by or for a large number of different businesses that serve web pages and other content over the internet, such as banks and retailers that have online presences. Examples include online stores or online account management tools. The main server computer systems operated by those organizations or their agents are designated as origin server computers 604 a-604 n, and could include a broad array of origin server computers, content server computers, database server computers, financial server computers, load balancers, and other necessary components (either as physical or virtual server computers).

A set of security server computers 602 a to 602 n are shown connected between the origin server computers 604 a to 604 n and a network 610 such as the internet. Although both extend to n in number, the actual number of sub-systems could vary. For example, certain of the customers could install two separate security server computer systems to serve all of one or more origin server computer systems, such as for redundancy purposes. One or more particular security server computers of security server computers 602 a-602 n may be matched to particular ones of the origin server computer systems 604 a-604 n, or they may be at separate sites, and all of the origin server computers for various different customers may be provided with services by a single common set of security server computers 602 a-602 n. Security server computers 602 a-602 n may be at a single co-location facility, which may minimize bandwidth issues.

Each computer of the security server computers 602 a-602 n may be arranged and programmed to carry out operations like those discussed above and below and other operations. For example, a policy engine 620 in each such security server computer system may evaluate HTTP requests from client computers (for example, desktop, laptop, tablet, and smartphone computers) based on header and network information, and can set and store session information related to a relevant policy. The policy engine may be programmed to classify requests and correlate them to particular actions to be taken to code returned by the origin server computer systems before such code is served back to a client computer.

When such code returns, the policy information may be provided to decode, analysis, and re-encode module 624, which matches the content to be delivered, across multiple content types (for example, HTML, JavaScript, and CSS), to actions to be taken on the content (for example, using XPATH within a DOM), such as substitutions, addition of content, and other actions that may be provided as extensions to the system. For example, the different types of content may be analyzed to determine naming that may extend across such different pieces of content (for example, the name of a function or parameter), and such names may be changed in a way that differs each time the content is served, for example, by replacing a named item with randomly-generated characters. Elements within the different types of content may also first be grouped as having a common effect on the operation of the code (for example, if one element makes a call to another), and then may be re-encoded together in a common manner so that their interoperation with each other will be consistent even after the re-encoding.

Both the analysis of content for determining which transformations to apply to the content, and the transformation of the content itself, may occur at the same time (after receiving a request for the content) or at different times. For example, the analysis may be triggered, not by a request for the content, but by a separate determination that the content newly exists or has been changed. Such a determination may be via a “push” from the origin server computer system reporting that it has implemented new or updated content. The determination may also be a “pull” from security server computers 602 a-602 n, such as by the security server computers 602 a-602 n implementing a web crawler (not shown) to recursively search for new and changed content and to report such occurrences to the security server computers 602 a-602 n, and perhaps return the content itself and perhaps perform some processing on the content (for example, indexing it or otherwise identifying common terms throughout the content, creating DOMs for it, etc.). The analysis to identify portions of the content that should be subjected to polymorphic modifications each time the content is served may then be performed according to the manner discussed above and below.

Rules 622 may comprise one or more rules for performing analysis of signals or other features discussed herein. Rules 622 may define which test(s) or countermeasure(s) to select based on the one or more signals or other features discussed herein. Rules 622 may also define one or more rules for encoding, decoding, or re-encoding content. Rules 622 may be populated with rules written or developed by a user or operator by observation of particular content types, such as by operators of a system studying typical web pages that call JavaScript content and recognizing that a particular method is frequently used in a particular manner. Such observation may result in rules 622, which may comprise one or more scripts, data structures, or code to execute the scripts or process the data structures, and perform the rules.

Decode, analysis, and re-encode module 624 encodes content being passed to client computers from an origin server computer according to relevant policies and rules. Decode, analysis, and re-encode module 624 also reverse encodes requests from the client computers to the relevant origin server computer(s). For example, a web page may be served with a particular parameter, and may refer to JavaScript that references that same parameter. Decode, analysis, and re-encode module 624 may replace the name of that parameter, in each of the different types of content, with a randomly generated name, and each time the web page is served (or at least in varying sessions), the generated name may be different. When the name of the parameter is passed back to the origin server computer, it may be re-encoded back to its original name so that this portion of the security process may occur seamlessly for the origin server computer.

A key for the function that encodes and decodes such strings can be maintained by security server computers 602 a-602 n along with an identifier for the particular client computer so that security server computers 602 a-602 n may know which key or function to apply, and may otherwise maintain a state for the client computer and its session. A stateless approach may also be employed, whereby security server computers 602 a-602 n encrypt the state and store it in a cookie that is saved at the relevant client computer. The client computer may then pass that cookie data back when it passes the information that needs to be decoded back to its original status. With the cookie data, security server computers 602 a-602 n may use a private key to decrypt the state information and use that state information in real-time to decode the information from the client computer. Such a stateless implementation may create benefits such as less management overhead for security server computers 602 a-602 n (for example, for tracking state, for storing state, and for performing clean-up of stored state information as sessions time out or otherwise end) and, as a result, higher overall throughput.
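The following added example, written for this page and not part of the patent or of any product, shows the per-serving renaming of a page's implicit API (the form-field names discussed with security intermediary computer 304 and with decode, analysis, and re-encode module 624) together with the stateless reverse transformation. Rather than encrypting a name table into a cookie, as the paragraph above describes, this example uses a simpler swapped-in technique: each serving draws a random seed, every field name is a keyed HMAC of (seed, original name), and the cookie carries only the seed plus an integrity tag. The server recomputes the mapping from the seed and the list of renamable fields recorded by the one-time content analysis, so no secret leaves the server and nothing is stored per session. The key, the sample page and the field list are constructed.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qsl

# Constructed key; the real key lives only on the security server computers.
SERVER_KEY = b"example-recoding-key-rotate-in-production"

# Constructed sample page. The one-time analysis step recorded which form-field
# names make up the page's implicit API and are safe to rename on every serving.
ORIGINAL_PAGE = (
    '<form action="/transfer" method="post">\n'
    '<input name="account" type="text">\n'
    '<input name="amount" type="text">\n'
    '<input name="note" type="text">\n'
    '</form>'
)
RENAMABLE_FIELDS = ["account", "amount", "note"]


def derive_name(seed, original):
    """Per-serving name for an original field: a keyed PRF of (seed, name).
    The client cannot recover the original name from the derived one."""
    digest = hmac.new(SERVER_KEY, seed + b"|" + original.encode(), hashlib.sha256).hexdigest()
    return "f" + digest[:16]  # leading letter keeps it a valid name attribute


def seed_tag(seed):
    """Integrity tag so that a client cannot substitute a seed of its own choosing."""
    return hmac.new(SERVER_KEY, b"seed|" + seed, hashlib.sha256).hexdigest()[:32]


def recode_page(page, fields):
    """Encode step: a fresh seed per serving, so every copy of the page differs."""
    seed = secrets.token_bytes(16)
    mapping = {orig: derive_name(seed, orig) for orig in fields}
    pattern = re.compile(r'name="(' + "|".join(map(re.escape, fields)) + r')"')
    recoded = pattern.sub(lambda m: f'name="{mapping[m.group(1)]}"', page)
    cookie = seed.hex() + "." + seed_tag(seed)  # the only state kept, and it is kept on the client
    return recoded, cookie


def issued_names(page):
    """Field names as they appear in a (re-coded) page, in document order."""
    return re.findall(r'name="([^"]+)"', page)


def decode_request(body, cookie, fields):
    """Reverse-encode step: rebuild this serving's mapping from the cookie and translate the
    submitted names back. A name not issued for this serving is rejected, which is what
    stops a client from replaying the original (un-recoded) field names."""
    try:
        seed_hex, tag = cookie.split(".", 1)
        seed = bytes.fromhex(seed_hex)
    except ValueError:
        raise ValueError("malformed recoding cookie")
    if not hmac.compare_digest(tag, seed_tag(seed)):
        raise ValueError("recoding cookie failed integrity check")
    reverse = {derive_name(seed, orig): orig for orig in fields}
    decoded = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in reverse:
            raise ValueError(f"field {name!r} was not issued for this serving")
        decoded[reverse[name]] = value
    return decoded


def try_decode(body, cookie, fields):
    """Convenience wrapper: the decoded form, or None when the request is rejected."""
    try:
        return decode_request(body, cookie, fields)
    except ValueError:
        return None


def demo():
    """Serve the page twice, submit against the first serving, and decode."""
    page_a, cookie_a = recode_page(ORIGINAL_PAGE, RENAMABLE_FIELDS)
    page_b, _ = recode_page(ORIGINAL_PAGE, RENAMABLE_FIELDS)
    names = issued_names(page_a)
    body = f"{names[0]}=12345&{names[1]}=250&{names[2]}=rent"
    return page_a != page_b, decode_request(body, cookie_a, RENAMABLE_FIELDS)
```

Because the cookie only binds a seed, it can equally be carried in a hidden field or a URL parameter; what matters is that the tag is checked before any name is translated, and that a submission carrying the original names, or names from a different serving, is refused rather than passed to the origin.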

Decode, analysis, and re-encode module 624 and security server computers 602 a-602 n may be configured to modify web code differently each time it is served in a manner that is generally imperceptible to a user who interacts with such web code. For example, multiple different client computers may request a common web resource such as a web page or web application that an origin server computer provides in response to the multiple requests in substantially the same manner. Thus, a common web page may be requested from an origin server computer, and the origin server computer may respond by serving the same or substantially identical HTML, CSS, JavaScript, images, and other web code or files to each of the clients in satisfaction of the requests. In some instances, particular portions of requested web resources may be common among multiple requests, while other portions may be client or session specific. Decode, analysis, and re-encode module 624 may be adapted to apply different modifications to each instance of a common web resource, or common portion of a web resource, such that the web code that is ultimately delivered to the client computers in response to each request for the common web resource includes different modifications.

Such modification may occur according to a process that analyzes the code once for each time it changes in a material way, and then applies the analysis multiple times. For example, elements that can be changed without affecting the presentation of a web page may be located by way of analysis, as may additional instances of those elements through all the code (for example, HTML, CSS, and JavaScript). A mapping may be made of the types and locations of such elements. Then, each time the code is to be served, the mapping may be used to place random characters or other substitute content in place of each occurrence of each such element. This repeated process may be performed, in certain implementations, with much less computational overhead than would a combined reanalysis and substitution for every serving.

Security server computers 602 a-602 n can apply the modifications in a manner that does not substantially affect a way that the user interacts with the resource, regardless of the different transformations applied, even where different modifications are applied in responding to multiple requests for a common web resource. For example, when two different client computers request a common web page, security server computers 602 a-602 n apply different modifications to the web code corresponding to the web page in response to each request for the web page, but the modifications do not substantially affect a presentation of the web page between the two different client computers. The modifications can therefore be made largely transparent to users interacting with a common web resource so that the modifications do not cause a substantial difference in the way the resource is displayed or the way the user interacts with the resource on different client devices or in different sessions in which the resource is requested.

In some implementations, decode, analysis, and re-encode module 624 may be configured to generate challenges, insert challenges, and validate solutions to challenges that occur in requests from client computers. For example, decode, analysis, and re-encode module 624 may determine parameters for an HMAC/SHA-2 hashing challenge, and insert code into content to be served that causes a client to compute a solution to the challenge.
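As an added example of the HMAC/SHA-2 hashing challenge mentioned here and of the generate/insert/validate split described for network 300 above (this is illustration written for this page, not the patent's or any product's code), the block below has the server choose the challenge parameters and sign them, has the client search for a counter whose HMAC-SHA256 under the challenge nonce begins with the required number of zero bits, and has the server validate the returned solution without keeping any per-challenge state. The key, the parameter names, the difficulty and the time-to-live are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed key; in the system described it would stay on the security server computers.
SERVER_KEY = b"example-challenge-key-rotate-in-production"


def _sign(params):
    """HMAC over the canonical JSON of the parameters, so the server can trust them when
    they come back from the client without having stored them."""
    msg = json.dumps(params, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def generate_challenge(difficulty_bits=12, ttl=60, now=None):
    """Server side (generate step): nonce, difficulty and expiry, signed as one unit."""
    params = {
        "nonce": secrets.token_hex(16),
        "bits": difficulty_bits,
        "expires": int(now if now is not None else time.time()) + ttl,
    }
    params["tag"] = _sign(params)
    return params


def _leading_zero_bits(digest):
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def _work(nonce_hex, counter):
    """The hashing step both sides perform: HMAC-SHA256 keyed by the nonce over the counter."""
    return hmac.new(bytes.fromhex(nonce_hex), str(counter).encode(), hashlib.sha256).digest()


def solve_challenge(challenge, limit=1_000_000):
    """Client side (what the inserted code does): search for a counter that meets the target.
    Expected cost is about 2**bits HMAC evaluations; returns None if the limit is hit."""
    for counter in range(limit):
        if _leading_zero_bits(_work(challenge["nonce"], counter)) >= challenge["bits"]:
            return counter
    return None


def validate_solution(challenge, counter, now=None):
    """Server side (validate step): signature first, then expiry, then the work itself."""
    unsigned = {k: v for k, v in challenge.items() if k != "tag"}
    if not hmac.compare_digest(_sign(unsigned), str(challenge.get("tag", ""))):
        return False, "parameters were not issued by this server"
    if (now if now is not None else time.time()) > challenge["expires"]:
        return False, "challenge expired"
    if not isinstance(counter, int) or counter < 0:
        return False, "malformed solution"
    if _leading_zero_bits(_work(challenge["nonce"], counter)) < challenge["bits"]:
        return False, "insufficient work"
    return True, "ok"


def round_trip(difficulty_bits=12, now=1000):
    """Generate, solve and validate one challenge; returns the validation result."""
    challenge = generate_challenge(difficulty_bits, now=now)
    counter = solve_challenge(challenge)
    return validate_solution(challenge, counter, now=now + 5)
```

Checking the signature before anything else means a client cannot lower the difficulty or extend the expiry by editing the parameters it was given. The validator above is stateless and therefore does not notice a solution submitted twice within the time-to-live; an intermediary that needs to refuse reuse keeps the nonces it has accepted until their expiry passes.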

An instrumentation module 626 is programmed to add instrumentation code to the content that is served from an origin server computer. The instrumentation code is code that is programmed to monitor the operation of other code that is served. For example, the instrumentation code may be programmed to identify when certain methods are called, when those methods have been identified as likely to be called by malicious software. When such actions are observed to occur by the instrumentation code, the instrumentation code may be programmed to send a communication to the security server reporting on the type of action that occurred and other metadata that is helpful in characterizing the activity. Such information can be used to help determine whether the action was malicious or benign.

The instrumentation code may also analyze the DOM on a client computer in predetermined manners that are likely to identify the presence of and operation of malicious software, and to report to security server computers 602 a-602 n or a related system. For example, the instrumentation code may be programmed to characterize a portion of the DOM when a user takes a particular action, such as clicking on a particular on-page button, to identify a change in the DOM before and after the click (where the click is expected to cause a particular change to the DOM if there is benign code operating with respect to the click, as opposed to malicious code operating with respect to the click). Data that characterizes the DOM may also be hashed, either at the client computer or security server computers 602 a-602 n, to produce a representation of the DOM (for example, in the differences between part of the DOM before and after a defined action occurs) that is easy to compare against corresponding representations of DOMs from other client computers. Other techniques may also be used by the instrumentation code to generate a compact representation of the DOM or other structure expected to be affected by malicious code in an identifiable manner.
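The following added example (written for this page; not the patent's or any product's code) shows the server-side half of the before/after DOM comparison described in this paragraph: two snapshots of a DOM region are flattened into canonical per-element records keyed by position, the records that differ form the delta, and a SHA-256 of the canonical delta gives the compact representation that can be compared against the hashes collected from other client computers. The snapshots are constructed nested dictionaries standing in for what instrumentation code would serialize from the real DOM; the element names and the expected change (a confirmation panel appearing after the click) are assumptions for the example.

```python
import hashlib
import json

# Constructed DOM snapshots: {"tag": ..., "attrs": {...}, "children": [...]}.
# In the system described, instrumentation code would serialize the real DOM in the browser.


def flatten(node, path="0"):
    """Canonical description of a subtree: one record per element, keyed by its
    path from the root, so that before/after comparison is positional."""
    attrs = json.dumps(node.get("attrs", {}), sort_keys=True)
    records = {path: f'{node["tag"]}{attrs}'}
    for i, child in enumerate(node.get("children", [])):
        records.update(flatten(child, f"{path}/{i}"))
    return records


def dom_delta(before, after):
    """The records that changed between two snapshots of the same DOM region."""
    b, a = flatten(before), flatten(after)
    added = {p: a[p] for p in a if p not in b or b[p] != a[p]}
    removed = {p: b[p] for p in b if p not in a or a[p] != b[p]}
    return {"added": added, "removed": removed}


def delta_hash(before, after):
    """Compact representation: SHA-256 over the canonical JSON of the delta, so the same
    change observed on any client yields the same value and can be compared server side."""
    canonical = json.dumps(dom_delta(before, after), sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def classify(before, after, known_benign_hashes):
    """Server-side comparison against delta hashes already seen from other clients."""
    return "expected" if delta_hash(before, after) in known_benign_hashes else "review"


# Constructed example: clicking the button is expected to reveal a confirmation panel.
FORM = {"tag": "form", "attrs": {"id": "transfer"}, "children": [
    {"tag": "input", "attrs": {"name": "amount"}},
    {"tag": "button", "attrs": {"id": "go"}},
]}
EXPECTED_AFTER = {"tag": "form", "attrs": {"id": "transfer"}, "children": [
    {"tag": "input", "attrs": {"name": "amount"}},
    {"tag": "button", "attrs": {"id": "go"}},
    {"tag": "div", "attrs": {"class": "confirm"}},
]}
# A snapshot in which an element that was never part of the served page also appeared.
UNEXPECTED_AFTER = {"tag": "form", "attrs": {"id": "transfer"}, "children": [
    {"tag": "input", "attrs": {"name": "amount"}},
    {"tag": "input", "attrs": {"name": "pin"}},
    {"tag": "button", "attrs": {"id": "go"}},
    {"tag": "div", "attrs": {"class": "confirm"}},
]}
```

Hashing the delta rather than the whole DOM keeps client-specific content (account numbers, personalised text elsewhere on the page) out of the representation, so the hashes from many clients cluster on the handful of changes a click legitimately causes and anything else stands out for review.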

As noted, the content from origin server computers 604 a-604 n, as encoded by decode, analysis, and re-encode module 624, may be rendered on web browsers of various client computers. Uninfected client computers 612 a-612 n represent computers that do not have malicious code programmed to interfere with a particular site a user visits or to otherwise perform malicious activity. Infected client computers 614 a-614 n represent computers that do have malware or malicious code (618 a-618 n, respectively) programmed to interfere with a particular site a user visits or to otherwise perform malicious activity. In certain implementations, the client computers 612, 614 may also store the encrypted cookies discussed above and pass such cookies back through the network 610. The client computers 612, 614 will, once they obtain the served content, implement DOMs for managing the displayed web pages, and instrumentation code may monitor the respective DOMs as discussed above. Reports of illogical activity (for example, software on the client device calling a method that does not exist in the downloaded and rendered content) can then be reported back to the server system.

The reports from the instrumentation code may be analyzed and processed in various manners in order to determine how to respond to particular abnormal events, and to track down malicious code via analysis of multiple different similar interactions across different client computers 612, 614. For small-scale analysis, each web site operator may be provided with a single security console 607 that provides analytical tools for a single site or group of sites. For example, the console 607 may include software for showing groups of abnormal activities, or reports that indicate the type of code served by the web site that generates the most abnormal activity. For example, a security officer for a bank may determine that defensive actions are needed if most of the reported abnormal activity for its web site relates to content elements corresponding to money transfer operations—an indication that stale malicious code may be trying to access such elements surreptitiously.

Console 607 may also be multiple different consoles used by different employees of an operator of the system 600, and may be used for pre-analysis of web content before it is served, as part of determining how best to apply polymorphic transformations to the web code. For example, in combined manual and automatic analysis like that described above, an operator at console 607 may add, remove, or edit one or more rules in rules 622, or apply one or more rules from rules 622, which guide the transformation that is to be performed on the content when it is ultimately served. The rules may be written explicitly by the operator or may be provided by automatic analysis and approved by the operator. Alternatively, or in addition, the operator may perform actions in a graphical user interface (for example, by selecting particular elements from the code by highlighting them with a pointer, and then selecting an operation from a menu of operations) and rules may be written consistent with those actions.

A central security console 608 may connect to a large number of web content providers, and may be run, for example, by an organization that provides the software for operating security server computers 602 a-602 n—an organization separate from the organizations that serve the content. Such console 608 may access complex analytical and data analysis tools, such as tools that identify clustering of abnormal activities across thousands of client computers and sessions, so that an operator of the console 608 can focus on those clusters in order to diagnose them as malicious or benign, and then take steps to thwart any malicious activity.

In certain other implementations, the console 608 may have access to software for analyzing telemetry data received from a very large number of client computers that execute instrumentation code provided by the system 600. Such data may result from forms being re-written across a large number of web pages and web sites to include content that collects system information such as browser version, installed plug-ins, screen resolution, window size and position, operating system, network information, and the like. In addition, user interaction with served content may be characterized by such code, such as the speed with which a user interacts with a page, the path of a pointer over the page, and the like.

Such collected telemetry data, across many thousands of sessions and client devices, may be used by the console 608 to identify what is “natural” interaction with a particular page that is likely the result of legitimate human actions, and what is “unnatural” interaction that is likely the result of a bot interacting with the content. Statistical and machine learning methods may be used to identify patterns in such telemetry data, and to resolve bot candidates to particular client computers. Such client computers may then be handled in special manners by the system 600, may be blocked from interaction, or may have their operators notified that their computer is potentially running malicious software (for example, by sending an e-mail to an account holder of a computer so that the malicious software cannot intercept it easily).

9.0 Implementation Mechanisms—Hardware Overview

FIG. 7 illustrates a computer system upon which an embodiment may be implemented. In FIG. 7, system 700 can be used to carry out the operations described in association with any of the computer-implemented methods described previously, according to one implementation. System 700 is intended to include various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, server computers, blade server computers, mainframes, and other appropriate computers. System 700 can also include mobile devices, such as personal digital assistants, cellular telephones, smartphones, and other similar computing devices. Additionally, the system can include portable storage media, such as Universal Serial Bus (USB) flash drives. For example, the USB flash drives may store operating systems and other applications. The USB flash drives can include input/output components, such as a wireless transmitter or USB connector that may be inserted into a USB port of another computing device.

System 700 includes processor 710, memory 720, storage device 730, and input/output device 740. Each of the components 710, 720, 730, and 740 is interconnected using system bus 750. Processor 710 is capable of processing instructions for execution within system 700. The processor may be designed using any of a number of architectures. For example, processor 710 may be a CISC (Complex Instruction Set Computer) processor, a RISC (Reduced Instruction Set Computer) processor, or a MISC (Minimal Instruction Set Computer) processor.

In one implementation, processor 710 is a single-threaded processor. In another implementation, processor 710 is a multi-threaded processor. Processor 710 is capable of processing instructions stored in memory 720 or on storage device 730 to display graphical information for a user interface on input/output device 740.

Memory 720 stores information within system 700. In one implementation, memory 720 is a computer-readable medium. In one implementation, memory 720 is a volatile memory unit. In another implementation, memory 720 is a non-volatile memory unit.

Storage device 730 is capable of providing mass storage for one or more security server computers. In one implementation, storage device 730 is a computer-readable medium. In various different implementations, storage device 730 may be a floppy disk device, a hard disk device, an optical disk device, or a tape device.

Input/output device 740 provides input/output operations for system 100, system 200, network 300, or system 600. In one implementation, input/output device 740 includes a keyboard and/or pointing device. In another implementation, input/output device 740 includes a display unit for displaying graphical user interfaces.

The features described can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. The apparatus can be implemented in a computer program product tangibly embodied in an information carrier, for example, in a machine-readable storage device for execution by a programmable processor; and method steps can be performed by a programmable processor executing a program of instructions to perform functions of the described implementations by operating on input data and generating output. The described features can be implemented advantageously in one or more computer programs that are executable on a programmable system including at least one programmable processor coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device. A computer program is a set of instructions that can be used, directly or indirectly, in a computer to perform a certain activity or bring about a certain result. A computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.

Suitable processors for the execution of a program of instructions include, by way of example, both general and special purpose microprocessors, and the sole processor or one of multiple processors of any kind of computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memories for storing instructions and data. Generally, a computer will also include, or be operatively coupled to communicate with, one or more mass storage devices for storing data files; such devices include magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and optical disks. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, ASICs (application-specific integrated circuits).

To provide for interaction with a user, the features can be implemented on a computer having a display device such as a CRT (cathode ray tube) or LCD (liquid crystal display) monitor for displaying information to the user and a keyboard and a pointing device such as a mouse or a trackball by which the user can provide input to the computer. Additionally, such activities can be implemented via touchscreen flat-panel displays and other appropriate mechanisms.

The features can be implemented in a computer system that includes a back-end component, such as a data server, or that includes a middleware component, such as a content server or an Internet server, or that includes a front-end component, such as a client computer having a graphical user interface or an Internet browser, or any combination of them. The components of the system can be connected by any form or medium of digital data communication such as a communication network. Examples of communication networks include a local area network (“LAN”), a wide area network (“WAN”), peer-to-peer networks (having ad-hoc or static members), grid computing infrastructures, and the Internet.

The computer system can include clients and server computers. A client and server are generally remote from each other and typically interact through a network, such as the described one. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.

While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any inventions or of what may be claimed, but rather as descriptions of features specific to particular implementations of particular inventions. Certain features that are described in this specification in the context of separate implementations can also be implemented in combination in a single implementation. Various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in one or more combinations. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, other embodiments may include one or more combinations of one or more features discussed herein.

Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the implementations described above should not be understood as requiring such separation in all implementations, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.

Thus, particular implementations of the subject matter have been described. Other implementations are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.

10.0 Other Aspects of Disclosure

Using the networked computer arrangements, intermediary computer, or processing methods described herein, security in client-server data processing may be significantly increased. Polymorphic techniques discussed herein effectively reduce automated attacks. Consequently, one or more various attacks, such as a denial of service (“DOS”) attack, credential stuffing, fake account creation, ratings or results manipulation, man-in-the-browser attacks, reserving rival goods or services, scanning for vulnerabilities, or exploitation of vulnerabilities, are frustrated because object identifiers or polymorphic hooks may change over time.

In the foregoing specification, embodiments of the invention have been described with reference to numerous specific details that may vary from implementation to implementation. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. The sole and exclusive indicator of the scope of the invention, and what is intended by the applicants to be the scope of the invention, is the literal and equivalent scope of the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction.

What is claimed is:
 1. A computer system configured to improve security of one or more server computers interacting with one or more client computers, the system comprising: one or more processors; a memory coupled to the one or more processors and storing a set of instructions that define a plurality of detection tests and which, when executed by the one or more processors, cause the one or more processors to: select, from the plurality of detection tests, one or more first detection tests to be performed by a client computer; send, to the client computer, a first set of detection instructions that define the one or more first detection tests, and which when executed causes generating a first set of results that identifies a first set of characteristics of the client computer; receive the first set of results from the client computer; select one or more first countermeasures from a plurality of countermeasures based on the first set of characteristics identified in the first set of results; send, to the client computer, a first set of countermeasure instructions that define the one or more first countermeasures.
 2. The computer system of claim 1, wherein: the first set of characteristics indicates that the client computer is executing an instance of a particular browser; the one or more first countermeasures are targeted toward the particular browser; the one or more first countermeasures are associated with the particular browser; and the one or more first countermeasures are selected based on determining that the one or more first countermeasures are associated with the particular browser.
 3. The computer system of claim 1, further comprising instructions which when executed cause the one or more processors to: select, from the plurality of detection tests, one or more second detection tests to be performed by the client computer, wherein the one or more second detection tests are different than the one or more first detection tests; send, to the client computer, a second set of detection instructions that define the one or more second detection tests, and which when executed causes generating a second set of data that identifies a second set of characteristics of the client computer; receive the second set of data from the client computer; wherein selecting the one or more first countermeasures from the plurality of countermeasures is also based on the second set of data.
 4. The computer system of claim 3, wherein: a particular detection test among the one or more first detection tests is associated with the one or more second detection tests; the first set of results indicates a particular result based on the particular detection test; the one or more second detection tests are selected in response to determining that the first set of results included the particular result.
 5. The computer system of claim 1, wherein the first set of results indicates that the client computer is executing an instance of a particular browser that matches one or more characteristics of a first browser and a second browser; wherein the computer system further comprises instructions which when executed cause the one or more processors to: select, from the plurality of detection tests, one or more second detection tests to be performed by the client computer, wherein the one or more second detection tests are associated with the first browser and the second browser, and the one or more second detection tests are different than the one or more first detection tests; send, to the client computer, a second set of detection instructions that define the one or more second detection tests, and which when executed causes generating a second set of data that identifies a second set of characteristics of the client computer; receive, from the client computer, the second set of data that identify the second set of characteristics; determine, from the second set of characteristics, that the particular browser that is being executed by the client computer is the first browser and not the second browser; determine that the one or more first countermeasures are associated with the first browser; wherein selecting the one or more first countermeasures from the plurality of countermeasures is based on determining that the one or more first countermeasures are associated with the first browser.
 6. The computer system of claim 1, wherein a particular detection test, among the one or more first detection tests, detects whether a human user has provided input.
 7. The computer system of claim 1, wherein a particular detection test of the one or more first detection tests detects whether the client computer was physically moved.
 8. The computer system of claim 1, further comprising instructions which when executed cause the one or more processors to: receive, from a server computer among the one or more server computers, one or more original instructions to be sent to a browser being executed on the client computer; send, to the client computer, the one or more original instructions with the first set of detection instructions; select, from the plurality of detection tests, one or more second detection tests to be performed by the client computer; send, to the client computer, the first set of detection instructions that define the one or more first detection tests, and which when executed causes generating a first set of data that identifies the first set of characteristics of the client computer.
 9. A method to improve security of one or more server computers interacting with one or more client computers, the method comprising: selecting, from a plurality of detection tests, one or more first detection tests to be performed by a client computer; sending, to the client computer, a first set of detection instructions that define the one or more first detection tests, and which when executed causes generating a first set of results that identifies a first set of characteristics of the client computer; receiving the first set of results from the client computer; selecting one or more first countermeasures from a plurality of countermeasures based on the first set of characteristics identified in the first set of results; sending, to the client computer, a first set of countermeasure instructions that define the one or more first countermeasures; wherein the method is performed by one or more computer processors.
 10. The method of claim 9, wherein: the first set of characteristics indicates that the client computer is executing an instance of a particular browser; the one or more first countermeasures are targeted toward the particular browser; the one or more first countermeasures are associated with the particular browser; and the one or more first countermeasures are selected based on determining that the one or more first countermeasures are associated with the particular browser.
 11. The method of claim 9, further comprising: selecting, from the plurality of detection tests, one or more second detection tests to be performed by the client computer, wherein the one or more second detection tests are different than the one or more first detection tests; sending, to the client computer, a second set of detection instructions that define the one or more second detection tests, and which when executed causes generating a second set of data that identifies a second set of characteristics of the client computer; receiving the second set of data from the client computer; wherein selecting the one or more first countermeasures from the plurality of countermeasures is also based on the second set of data.
 12. The method of claim 11, wherein: a particular detection test among the one or more first detection tests is associated with the one or more second detection tests; the first set of results indicates a particular result based on the particular detection test; the one or more second detection tests are selected in response to determining that the first set of results included the particular result.
 13. The method of claim 9, wherein the first set of results indicates that the client computer is executing an instance of a particular browser that matches one or more characteristics of a first browser and a second browser, and the method further comprising: selecting, from the plurality of detection tests, one or more second detection tests to be performed by the client computer, wherein the one or more second detection tests are associated with the first browser and the second browser, and the one or more second detection tests are different than the one or more first detection tests; sending, to the client computer, a second set of detection instructions that define the one or more second detection tests, and which when executed causes generating a second set of data that identifies a second set of characteristics of the client computer; receiving, from the client computer, the second set of data that identify the second set of characteristics; determining, from the second set of characteristics, that the particular browser that is being executed by the client computer is the first browser and not the second browser; determining that the one or more first countermeasures are associated with the first browser; wherein selecting the one or more first countermeasures from the plurality of countermeasures is based on determining that the one or more first countermeasures are associated with the first browser.
 14. The method of claim 9, wherein a particular detection test, of the one or more first detection tests, detects whether a human user has provided input.
 15. The method of claim 9, wherein a particular detection test, of the one or more first detection tests, detects whether the client computer was physically moved.
 16. The method of claim 9, further comprising: receiving, from a server computer among the one or more server computers, one or more original instructions to be sent to a browser being executed on the client computer; sending, to the client computer, the one or more original instructions with the first set of detection instructions; selecting, from the plurality of detection tests, one or more second detection tests to be performed by the client computer; sending, to the client computer, the first set of detection instructions that define the one or more first detection tests, and which when executed causes generating a first set of data that identifies the first set of characteristics of the client computer.
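The claims above describe a selection loop on the intermediary: pick first detection tests, send them, read back the characteristics they produce, and, when those characteristics match more than one known browser (claims 5 and 13), pick second tests that discriminate between the remaining candidates before choosing countermeasures associated with the browser finally determined. The block below is an added, simplified model of that loop written for this page; it is not code from the patent or from any product. The browser profiles, test names, characteristic values and countermeasure catalog are hypothetical placeholders, and the "client" is a constructed callable that answers from a chosen profile so the example runs offline.

```python
"""Multi-round detection-test and countermeasure selection (illustrative model)."""
from typing import Callable, Dict, List, Optional, Set

# Hypothetical catalog: the result each detection test is expected to produce
# on each known browser profile. Names and values are placeholders.
PROFILES: Dict[str, Dict[str, str]] = {
    "browser_alpha": {"t_api_shape": "shape_1", "t_timer_res": "coarse", "t_input_events": "present"},
    "browser_beta":  {"t_api_shape": "shape_1", "t_timer_res": "fine",   "t_input_events": "present"},
    "browser_gamma": {"t_api_shape": "shape_2", "t_timer_res": "fine",   "t_input_events": "absent"},
}

# Hypothetical countermeasures, each associated with the browsers it targets.
COUNTERMEASURES: Dict[str, Set[str]] = {
    "cm_rate_limit":      {"browser_alpha", "browser_gamma"},
    "cm_extra_challenge": {"browser_beta"},
    "cm_polymorphic_ids": {"browser_alpha", "browser_beta", "browser_gamma"},
}

# First-round tests are chosen up front; later rounds are chosen from results.
FIRST_ROUND_TESTS: List[str] = ["t_api_shape"]

# A client is modelled as a callable: detection instructions in, results out.
Client = Callable[[List[str]], Dict[str, str]]


def consistent_profiles(results: Dict[str, str]) -> Set[str]:
    """Browsers whose expected characteristics agree with every result seen so far."""
    return {name for name, expected in PROFILES.items()
            if all(expected.get(test) == value for test, value in results.items())}


def discriminating_tests(candidates: Set[str], already_sent: Set[str]) -> List[str]:
    """Second-round tests: not yet sent, and expected to differ between candidates."""
    chosen: List[str] = []
    for test in sorted({t for c in candidates for t in PROFILES[c]}):
        if test in already_sent:
            continue
        if len({PROFILES[c][test] for c in candidates}) > 1:
            chosen.append(test)
    return chosen


def select_countermeasures(candidates: Set[str]) -> List[str]:
    """Countermeasures associated with every remaining candidate browser."""
    if not candidates:
        return []
    return sorted(cm for cm, targets in COUNTERMEASURES.items()
                  if candidates <= targets)


def run_session(client: Client, max_rounds: int = 3) -> Dict[str, object]:
    """Drive the test rounds against one client and return the decision record."""
    sent: Set[str] = set()
    results: Dict[str, str] = {}
    rounds: List[List[str]] = []
    tests = list(FIRST_ROUND_TESTS)
    while tests and len(rounds) < max_rounds:
        rounds.append(list(tests))          # "send" detection instructions
        sent.update(tests)
        results.update(client(tests))       # "receive" the reported characteristics
        candidates = consistent_profiles(results)
        if len(candidates) <= 1:
            break                           # resolved, or matches nothing known
        tests = discriminating_tests(candidates, sent)
    candidates = consistent_profiles(results)
    browser: Optional[str] = next(iter(candidates)) if len(candidates) == 1 else None
    return {"browser": browser, "rounds": rounds,
            "countermeasures": select_countermeasures(candidates)}


def make_client(profile: Optional[str]) -> Client:
    """Constructed client that answers tests from PROFILES[profile] (unknown if None)."""
    def answer(tests: List[str]) -> Dict[str, str]:
        if profile is None:
            return {t: "unrecognised" for t in tests}
        return {t: PROFILES[profile][t] for t in tests}
    return answer


if __name__ == "__main__":
    for p in ("browser_beta", "browser_gamma", None):
        print(p, run_session(make_client(p)))
```

With the constructed catalog, a client that looks like browser_alpha or browser_beta after the first test gets a second round of only the test whose expected value differs between those two (`t_timer_res`), while browser_gamma is resolved in one round; a client matching no profile receives no profile-specific countermeasure, which is where a deployment would fall back to its generic handling.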